Cloud computing is a computing infrastructure for enabling ubiquitous access to shared pools of servers, storage, computer networks, applications and other data resources, which can be rapidly provisioned, often over a network, such as the Internet. For example, a “data resource” as used herein may include any item of data or code (e.g., a data object) that can be used by one or more computer programs. In example embodiments, data resources are stored in one or more network databases and are capable of being accessed by applications hosted by servers that share common access to the network database. A data resource may, for example, be a data analysis application, a data transformation application, a report generating application, a machine learning process, a spreadsheet or a database, or part of a spreadsheet or part of a database, e.g. records.
Some companies provide cloud computing services for registered customers, for example, manufacturing and technology companies, to create, store, manage and execute their own resources via a network. Users within the customer's domain, and other users outside of the customer's domain, e.g., support administrators of the provider company, may perform one or more actions on one or more data resources, which actions may include reading, authoring, editing, transforming, merging or executing. Sometimes, these resources may interact with other resources, for example, those provided by the cloud platform provider. Certain data resources may be used to control external systems.
When providing access to cloud-based computing services, such as a data processing platform for performing said one or more tasks, an authentication service may be provided that typically provides a basic login workflow. Some external organisations utilising the cloud-based services may have particular requirements for login flows, for example, in terms of the protocols they implement, the complex organisational structure they represent, and/or the various compliance/auditing requirements they impose. For example, some external organisations may wish to enable a login session for their data resources using a simple one-factor authentication method, e.g., username and password. Other external organisations may wish to use multi-factor authentication methods, e.g., by means of sending a challenge to a user device (e.g. mobile phone) or email account for response, after the username and password first factor has been verified. Some external organisations may wish to require a terms of service agreement to be agreed to by the user before a login session can be established, and so on.
It can be complex for provider organisations to implement such varied login workflows for multiple different customer requirements.
It is also known for provider organisations to outsource at least part of their one-factor authentication service to external services called Identity Providers (IdPs). In this way, the user authenticates themselves, e.g., with username and password, to the IdP via a webpage, and the returned page contains a form with a success or failure assertion which is then submitted to the provider organisation's login webpage for establishing a login session, if successful.
Integrating varied login workflows with such IdP systems adds a further layer of complexity.
Further, even with multi-factor authentication workflows, there exist potential problems. For example, care must be taken to ensure that malevolent users cannot bypass the second factor through phishing attacks. For example, an attacker who has compromised the first-factor stage might attempt to forward a URL for the next challenge to the genuine user, who may then respond to the challenge, unaware of the malevolent user's intent and of the fact that they are partly logged in.
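As an added illustration of the mitigation this problem calls for (not code from the patent or from any provider's product), the following hypothetical Python sketch binds the second-factor challenge to the browser session that passed the first factor, so that a forwarded challenge URL answered from a different session does not complete the attacker's half-finished login. The in-memory store, session identifiers and out-of-band code delivery are constructed for the example.

```python
import hmac
import secrets
import time
from typing import Optional

# Added example, not the patent's or any product's code. The pending-login
# store is an in-memory dict constructed for illustration (hypothetical).
CHALLENGE_TTL_SECONDS = 300


class TwoStepLogin:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # challenge_id -> record of a half-finished login

    def first_factor_passed(self, user: str, session_id: str) -> str:
        """Call after username/password are verified. Returns the challenge id
        carried in the next-step URL; the expected code is sent out of band."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = {
            "user": user,
            "session_id": session_id,  # the session that actually passed factor one
            "code": f"{secrets.randbelow(10**6):06d}",
            "expires": self._now() + CHALLENGE_TTL_SECONDS,
        }
        return challenge_id

    def out_of_band_code(self, challenge_id: str) -> str:
        # Stands in for the SMS/email delivery channel in this example.
        return self._pending[challenge_id]["code"]

    def second_factor(self, challenge_id: str, session_id: str, code: str) -> Optional[str]:
        """Returns the logged-in user on success, else None. Single-use: any
        failed attempt consumes the challenge, so a retry needs a new one."""
        rec = self._pending.pop(challenge_id, None)
        if rec is None or self._now() > rec["expires"]:
            return None
        # The response must come from the same session that passed factor one.
        # A genuine user answering a forwarded URL is in a different session, so
        # even their correct code does not finish the attacker's login.
        if not hmac.compare_digest(rec["session_id"], session_id):
            return None
        if not hmac.compare_digest(rec["code"], code):
            return None
        return rec["user"]
```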